From: Demi Marie Obenour
To: Alyssa Ross
Cc: Spectrum OS Development
Date: Fri, 28 Nov 2025 15:27:46 -0500
Subject: Re: [PATCH v5 11/13] Support updates via systemd-sysupdate
References: <20251126-updates-v5-0-fd746748febd@gmail.com> <20251126-updates-v5-11-fd746748febd@gmail.com> <87zf86nuay.fsf@alyssa.is>
In-Reply-To: <87zf86nuay.fsf@alyssa.is>

On 11/28/25 08:47, Alyssa Ross wrote:
> Demi Marie Obenour writes:
>
>> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile >> index a6d9f23e9f5277b7c79a53105eb2dfe1bab1451e..74ff64019560aae6387df0= e1b3409bc174251bdb 100644 >> --- a/host/rootfs/Makefile >> +++ b/host/rootfs/Makefile >> @@ -10,6 +10,7 @@ include file-list.mk >> ROOT_FS =3D build >> =20 >> DIRS =3D \ >> + boot \ >> dev \ >> etc/s6-linux-init/env \ >> etc/s6-linux-init/run-image/configs \ 
>> @@ -33,13 +34,15 @@ DIRS =3D \ >> etc/s6-linux-init/run-image/vm/by-id \ >> etc/s6-linux-init/run-image/vm/by-name \ >> ext \ >> + home \ >> proc \ >> run \ >> - sys >> + sys \ >> + tmp >> =20 >> FIFOS =3D etc/s6-linux-init/run-image/service/s6-svscan-log/fifo >> =20 >> -BUILD_FILES =3D build/etc/s6-rc >> +BUILD_FILES =3D build/etc/s6-rc build/etc/os-release build/etc/update= -url >> =20 >> # This rule produces three files but Make only (portably) >> # supports one output per rule. Instead of resorting to temporary >> @@ -59,12 +62,22 @@ $(ROOT_FS_IMAGE): ../../scripts/make-erofs.sh $(PA= CKAGES_FILE) $(FILES) $(BUILD_ >> mkdir -p $(ROOT_FS) && \ >> { \ >> cat $(PACKAGES_FILE) ;\ >> + printf '%s\n%s\n' "$$UPDATE_SIGNING_KEY" /etc/systemd/import-pub= ring.gpg; \ >=20 > Inconsistent use of shell variable instead of make macro. >=20 >> for file in $(FILES) $(LINKS); do printf '%s\n%s\n' $$file "$${f= ile#image/}"; done ;\ >> for file in $(BUILD_FILES); do printf '%s\n%s\n' $$file $${file#= build/}; done ;\ >> printf 'build/empty\n%s\n' $(DIRS) ;\ >> printf 'build/fifo\n%s\n' $(FIFOS) ;\ >> } | ../../scripts/make-erofs.sh $@ >> =20 >> +build/etc/update-url: >> + mkdir -p build/etc >> + # might have metacharacters, so avoid interpolation >> + printf %s\\n "$${UPDATE_URL:?'update URL empty or missing'}" > build= /etc/update-url >=20 > I'm learning so many shell parameter expansions I didn't know from you = :) >=20 >> diff --git a/host/rootfs/image/usr/bin/spectrum-update b/host/rootfs/i= mage/usr/bin/spectrum-update >> new file mode 100755 >> index 0000000000000000000000000000000000000000..613b43570d0538fce20296= ccb1de2a6364e0df55 >> --- /dev/null >> +++ b/host/rootfs/image/usr/bin/spectrum-update 
>> @@ -0,0 +1,92 @@ >> +#!/bin/execlineb -WS1 >> +# SPDX-License-Identifier: EUPL-1.2+ >> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour >> + >> +if { mkdir -p -m 0700 /run/updater } >> + >> +# Take a global lock to avoid races. >> +s6-setlock /run/update-lock >> + >> +foreground { redirfd -w 2 /dev/null rmdir -- $1 } >> +if { umask 0077 mkdir -p -- $1 } >> +cd $1 >> +foreground { >> + # If this exists already that is okay. >> + foreground { redirfd -w 2 /dev/null btrfs subvolume create -- share= d } >> + >> + # Delete any stale temporary files. Delete any existing signature >> + # files. If the VM is still running (it should not be), the VM mig= ht >> + # have write access to the directory. However, updates-dir-check i= s >> + # safe against that. >> + if { updates-dir-check cleanup shared } >> + >> + if { >> + foreground { >> + # TODO: suppress only "subvolume does not exist" errors. >> + redirfd -w 2 /dev/null >> + btrfs subvolume delete snapshot >> + } >> + rm -f snapshot >> + } >> + >> + backtick -E update_vm_id { >> + backtick -E id_path { readlink /run/vm/by-name/sys.appvm-systemd-= sysupdate } >> + basename -- $id_path >> + } >> + >> + # $fsdir is read-only to the guest, but read-write to the host. >> + # Directories bind-mounted into it are read-write to the guest. >> + # See etc/s6-linux-init/run-image/service/vhost-user-fs/template/ru= n >> + # for details. >> + >=20 > This still refers to a non-existent variable. >=20 >> + # Set up /etc with what the VM needs. The VM will overlay this >> + # on its own /etc. >> + # >> + # In the future, this should use a bind mount instead of copying >> + # into a tmpfs. However, this would significantly complicate the >> + # cleanup code. Deleting fs/etc would require undoing the bind >> + # mounts instead of rm -rf. Once this code is in a separate mount >> + # namespace, the copies should be replaced by bind mounts. 
>> + if { >> + if { rm -rf -- /run/vm/by-id/${update_vm_id}/fs/etc } >> + umask 022 >> + if { mkdir -p -- /run/vm/by-id/${update_vm_id}/fs/updates /run/vm= /by-id/${update_vm_id}/fs/etc/systemd } >> + if { cp -R -- /etc/vm-sysupdate.d /etc/update-url /run/vm/by-id/$= {update_vm_id}/fs/etc } >> + cp -- /etc/systemd/import-pubring.gpg /run/vm/by-id/${update_vm_i= d}/fs/etc/systemd >> + } >> + >> + # If the directory is already mounted, unmount it. This prevents a= >> + # confusing error from mount. >> + foreground { redirfd -w 2 /dev/null umount -- /run/vm/by-id/${updat= e_vm_id}/fs/updates } >> + >> + # Share the update directory with the VM. >> + if { mount --bind -- shared /run/vm/by-id/${update_vm_id}/fs/update= s } >> + >> + # Start the update VM. >> + if { vm-start $update_vm_id } >> + >> + # Wait for the VM to exit. >> + # TODO: This is racy. If the update finishes before this code runs= , >> + # the s6-svwait call will fail. >> + if { s6-svwait -D /run/service/vmm/instance/${update_vm_id} } >> + >> + # Remove the bind mount. >> + if { umount -- /run/vm/by-id/${update_vm_id}/fs/updates } >> + >> + # Ensure that the VM cannot change the directory >> + # while systemd-sysupdate is using it. >> + if { btrfs subvolume snapshot -- shared snapshot } >> + >> + # Validate the update directory. Delete any stale temporary files.= >> + # Check that a signature file was downloaded. >> + if { updates-dir-check check snapshot } >> + >> + unshare --mount >> + if { mount --bind -o ro -- snapshot /run/updater } >> + >> + /usr/lib/systemd/systemd-sysupdate update
>
> Why not just make a readonly snapshot?
> (btrfs subvolume snapshot -r)

The checker will delete any temporary files it comes across, so it needs
write access. A snapshot is much heavier than a bind mount and isn't
automatically cleaned up.

>> diff --git a/vm/app/systemd-sysupdate/default.nix b/vm/app/systemd-sys= update/default.nix >> new file mode 100644 >> index 0000000000000000000000000000000000000000..69be0bab500ea2ea6cb3b6= d71edbf1a3e7bddbba >> --- /dev/null >> +++ b/vm/app/systemd-sysupdate/default.nix >> @@ -0,0 +1,26 @@ >> +# SPDX-License-Identifier: MIT >> +# SPDX-FileCopyrightText: 2023 Alyssa Ross >> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour >> + >> +import ../../../lib/call-package.nix ( >> +{ callSpectrumPackage, curl, lib, src >> +, runCommand, systemd, writeScript >> +}: >> + >> +let >> + downloadUpdate =3D builtins.path { >> + name =3D "download-update"; >> + path =3D ./download-update; >> + };
>
> builtins.path is overkill here surely, as opposed to just writing
> ${./download-update} below?

${./download-update} includes the working directory in the Nix store hash,
which means that renaming your source tree forces an unnecessary rebuild.
builtins.path is the standard way to avoid this.

>> +in >> + >> +callSpectrumPackage ../../make-vm.nix {} { >> + providers.net =3D [ "sys.netvm" ]; >> + type =3D "nix"; >> + run =3D writeScript "run-script" '' >> +#!/usr/bin/env -S execlineb -WS0
>
> #!/bin/execlineb -WS0 would be fine — we know that'll exist in the VM.

Will fix.

>> diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd= -sysupdate/download-update >> new file mode 100755 >> index 0000000000000000000000000000000000000000..eada41c6c8ad5edcedd9f4= d76b76492e0b8be826 >> --- /dev/null >> +++ b/vm/app/systemd-sysupdate/download-update 
>> @@ -0,0 +1,68 @@ >> +#!/usr/bin/env -S execlineb -WS0 >> +# SPDX-License-Identifier: EUPL-1.2+ >> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour >> +export LC_ALL C >> +export LANGUAGE C >> +if { mount -toverlay -olowerdir=3D/run/virtiofs/virtiofs0/etc:/etc --= overlay /etc } >> +backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX } >> +# Not a useless use of cat: if there are NUL bytes in the URL >> +# busybox's awk might misbehave. >> +backtick update_url { cat /etc/update-url } >> +if { >> + backtick sed_rhs { >> + # Use awk to both validate the URL and to escape sed metacharacte= rs. >> + # Reject URLs with control characters, query parameters, or fragm= ents. >> + # They *cannot* work and so are rejected to produce better error = messages. >> + # >> + # curl rejects control characters with "Malformed input to a URL = function". >> + # Fragment specifiers ("#") and query parameters ("?") break conc= atenating >> + # /SHA256SUMS and /SHA256SUMS.sha256.asc onto the update URL. Al= so, it is >> + # simpler to reject update URLs that contain whitespace than to t= ry to >> + # escape them. >> + # >> + # Backslash needs to be escaped once for systemd-sysupdate and ag= ain for sed. >> + # Ampersand needs to be escaped once for sed. >> + awk "BEGIN { >> + update_url =3D ENVIRON[\"update_url\"]; >> + if (update_url ~ /^[^\\001-\\040?#\\x7F]+$/) { >> + # Use & to avoid extra escaping (16 or 32 backslashes!) >> + # and a divergence between POSIX and GNU awk. 
>> + gsub(/\\\\/, \"&&&&\", update_url); >> + gsub(/&/, \"\\\\\\\\&\", update_url); >> + print update_url; >> + exit 0; >> + } else { >> + print ARGV[2] > \"/dev/stderr\"; >> + exit 100; >> + } >> + }" -- $3 >> + "Bad update URL from host: control characters, whitespace, query = parameters, and fragment specifiers not allowed" >> + } >> + elglob -w -0 transfer_file_ /etc/vm-sysupdate.d/*.transfer >> + forx -E transfer_file { $transfer_file_ } >> + backtick target_basename { >> + basename -- $transfer_file >> + } >> + multisubstitute { >> + importas -iuS sed_rhs >> + importas -iuS target_basename >> + importas -iuS tmpdir >> + define sed_input $transfer_file >> + }
>
> You could avoid some serial substitution here if you wanted, by not
> passing -E to forx:
>
> forx transfer_file { $transfer_file_ }
> backtick target_basename {
>   importas -iuS transfer_file
>   basename -- $transfer_file
> }
> multisubstitute {
>   …
> }

I considered it and decided that the extra define in the multisubstitute
was cheaper than the extra importas process.

>> + redirfd -w 1 ${tmpdir}/${target_basename} >> + sed -E -- "s#@UPDATE_URL@#${sed_rhs}#g" $sed_input
>
> Using awk to escape stuff for sed seems a bit Rube Goldberg. Would it
> make more sense to just do the replacement in the awk program? Actually
> a lot of this might be nicer in awk than execline? Feel free to tell me
> to leave it this way for now, though.

I'd prefer to leave it this way for now. Maybe add a TODO to clean this up.

>> +} >> +multisubstitute { >> + importas -iuS update_url >> + importas -iuS CURL_PATH >> + importas -iuS SYSTEMD_SYSUPDATE_PATH >> + importas -iuS tmpdir >> +} >> +if { $SYSTEMD_SYSUPDATE_PATH --definitions=3D${tmpdir} update } >> +# [ and ] are allowed in update URLs so that IPv6 addresses work, but= >> +# they cause globbing in the curl command-line tool by default. Use = --globoff >> +# to disable this feature. 
>> +if { $CURL_PATH -L --proto-redir =3Dhttp,https --globoff >> + -o /run/virtiofs/virtiofs0/updates/SHA256SUMS -- ${update_url}/S= HA256SUMS } >> +$CURL_PATH -L --proto-redir =3Dhttp,https --globoff >> + -o /run/virtiofs/virtiofs0/updates/SHA256SUMS.sha256.asc -- ${up= date_url}/SHA256SUMS.sha256.asc
>
> Much easier to understand now. Thanks!

You're welcome!
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
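
Review bot: In host/rootfs/Makefile, the $(ROOT_FS_IMAGE) recipe line that maps "$$UPDATE_SIGNING_KEY" to /etc/systemd/import-pubring.gpg has no empty-or-unset guard, unlike the build/etc/update-url rule, which uses "$${UPDATE_URL:?'update URL empty or missing'}". With the variable unset, printf emits an empty source path for the keyring entry and any failure surfaces inside make-erofs.sh instead of as a clear build error. Suggest checking the variable before the { ... } | ../../scripts/make-erofs.sh pipeline (for example a ": $${UPDATE_SIGNING_KEY:?...} &&" step after the mkdir), because a failed expansion on the left side of the pipe would not by itself fail the recipe.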
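
Review bot: In host/rootfs/image/usr/bin/spectrum-update, wrapping "s6-svwait -D /run/service/vmm/instance/${update_vm_id}" in "if { ... }" turns the race described in the TODO above it into a hard stop: if s6-svwait fails as the comment says it can, "if" exits and the umount of fs/updates, the "btrfs subvolume snapshot" and "updates-dir-check check snapshot" are all skipped. That fails closed, which is the safe direction, but a completed download is dropped without explanation and the bind mount stays in place until the next run's pre-emptive umount. Suggest extending the TODO to state that this failure mode is intentional and emitting a message on that path, so a skipped update is distinguishable from a failed download.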
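
Review bot: In vm/app/systemd-sysupdate/download-update, both curl invocations pass "--proto-redir =http,https", which only limits redirects; the scheme of ${update_url} itself is unconstrained, since the awk check rejects control characters, whitespace, "?" and "#" but never looks at the scheme. Adding "--proto =http,https" to both calls (or anchoring the awk pattern on the scheme) would hold the first request to the same rule as its redirects. A smaller point in the same hunk: the bracket expression mixes octal escapes (\001-\040) with \x7F, and POSIX awk only defines the octal \ddd form, so \177 would be consistent with the POSIX versus GNU awk concern the comment already raises.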